Re: (ITS#8701) account usability control for password less logins
Please disregard the previous workaround proposal; it was incorrect. The
corrected workaround proposal:
The idea is to determine the account/password state on the client side
(since there's no easy way to get the server to provide the state
without using the user's password). This was accomplished in a prototype
by retrieving the /pwdPolicySubentry/, the policy setting, other
operational attributes such as /pwdChangedTime/, /pwdAccountLockedTime/,
/pwdFailureTime/, and /pwdGraceUseTime/. These were used to determine
the account/password state.
Is this reasonable and safe to do?
On 08/02/2017 07:31 AM, Ben Chang wrote:
> Question about a proposed workaround:
>
> Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry
> attribute for each user to provide the desired
> 1.3.6.1.4.1.42.2.27.9.5.8 control response (see
> http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control),
> i.e., can pwdPolicySubentry be used to supply the sub-entry and related
> operational attributes needed to validate users for password-less logins?
>
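
The client-side evaluation described in this message, sketched as an added example (not code from the original post or from OpenLDAP). The attribute names are from the ppolicy schema; the function names, the keys of the returned dict and the sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # pwdAccountLockedTime value meaning "locked until an admin resets it"

def parse_gt(value):
    """Parse an LDAP Generalized Time in UTC, ignoring fractional seconds."""
    digits = value.split(".")[0].rstrip("Z")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_state(policy, entry, now):
    """policy: pwdPolicy attributes (single values); entry: the user's operational attributes (lists)."""
    state = {"available": True, "locked": False, "expired": False,
             "seconds_before_unlock": None, "seconds_before_expiration": None,
             "remaining_grace": None, "recent_failures": 0}
    # Lockout: pwdAccountLockedTime is set and is permanent or still inside pwdLockoutDuration.
    locked_at = entry.get("pwdAccountLockedTime", [None])[0]
    duration = int(policy.get("pwdLockoutDuration", 0))
    if locked_at == PERMANENT_LOCK or (locked_at and duration == 0):
        state.update(available=False, locked=True)
    elif locked_at:
        left = (parse_gt(locked_at) + timedelta(seconds=duration) - now).total_seconds()
        if left > 0:
            state.update(available=False, locked=True, seconds_before_unlock=int(left))
    # Failures still inside pwdFailureCountInterval (0 = they never age out).
    interval = int(policy.get("pwdFailureCountInterval", 0))
    state["recent_failures"] = sum(
        1 for t in entry.get("pwdFailureTime", [])
        if interval == 0 or (now - parse_gt(t)).total_seconds() < interval)
    # Expiry: pwdChangedTime + pwdMaxAge; grace logins left = pwdGraceAuthNLimit - uses recorded.
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime", [None])[0]
    if max_age > 0 and changed:
        left = (parse_gt(changed) + timedelta(seconds=max_age) - now).total_seconds()
        if left > 0:
            state["seconds_before_expiration"] = int(left)
        else:
            grace = int(policy.get("pwdGraceAuthNLimit", 0)) - len(entry.get("pwdGraceUseTime", []))
            state.update(expired=True, remaining_grace=max(grace, 0))
            if grace <= 0:
                state["available"] = False
    return state

# Constructed sample values (not from the thread).
POLICY = {"pwdMaxAge": "7776000", "pwdLockoutDuration": "900", "pwdGraceAuthNLimit": "3",
          "pwdFailureCountInterval": "600"}
ENTRY = {"pwdChangedTime": ["20170401000000Z"], "pwdGraceUseTime": ["20170701120000Z"],
         "pwdFailureTime": ["20170802142500.123456Z"], "pwdAccountLockedTime": ["20170802142500Z"]}
NOW = datetime(2017, 8, 2, 14, 31, tzinfo=timezone.utc)
```

The operational attributes have to be requested by name (or with `+`) under an identity whose ACLs allow reading them. The result is only a snapshot computed with the client's clock; the server's own ppolicy evaluation at bind time remains authoritative.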